// Detection signature for the Stashlog samples referenced below.
// Matching is tied closely to the two listed samples: $s2-$s5 are raw x86 code
// sequences whose operands include fixed 32-bit values (e.g. "1c b2 42 00",
// "64 5f 43 00"), so a rebuilt or rebased variant is unlikely to reach the
// "4 of" threshold; treat hits as high-confidence and misses as inconclusive.
rule MAL_Stashlog_Sep_2021_1 {
   meta:
     description = "Detect Stashlog malware"
     author = "Arkbird_SOLG"
     reference = "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html"
     date = "2021-09-01"
     hash1 = "720610b9067c8afe857819a098a44cab24e9da5cf6a086351d01b73714afd397"
     hash2 = "869165044402a5f82f4cb8ddd51663ebb05f86345f346f765dcc54b20706cf7c"
     // hash1 and hash2 are two samples created from the same builder (SHA-256)
     level = "experimental"
     tlp = "White"
     adversary = "-"
   strings:
     // 112 hex-digit ASCII constant embedded in the samples; its role is not stated
     // here (presumably a key or configuration blob - unverified). `ascii` only:
     // a UTF-16 copy of the same text would NOT match, and `fullword` requires it
     // not to be preceded/followed by another alphanumeric character.
     $s1 = "497E724A7BA2764BB4570B225601FB693A796873E7847DB943F7FE9E7281C91A443DF1F8519CBB25FC736CC65BF3DE67A82E704BEB698E17" fullword ascii
     // Code sequence with no wildcards: contains repeated "ff 15 xx xx 42 00" /
     // "ff 25 xx xx 43 00" patterns (indirect call/jmp through fixed addresses in
     // what looks like the samples' image range) and byte-store loops. Exact-match
     // only, so any change to those addresses defeats this string.
     $s2 = { 50 83 ec 0c 89 e0 31 c9 89 48 04 89 08 89 48 0c 89 48 08 50 ff 15 1c b2 42 00 c7 05 38 ac 44 00 01 00 00 00 50 83 ec 0c 89 e7 81 ec 04 01 00 00 31 c0 89 e3 89 47 04 89 07 89 47 0c 89 47 08 57 ff 15 1c b2 42 00 ff 25 64 5f 43 00 ff 25 6c 5f 43 00 0f b6 4f 0e 0f b6 47 0f 0f b6 57 0d 89 4d dc 0f b6 4f 0c 89 45 d8 89 55 e0 89 4d e4 ff 25 7c 5f 43 00 8b 4d f0 31 f6 46 31 e9 e8 94 48 01 00 89 f0 8d 65 f4 5e 5f 5b 5d c3 a0 00 30 43 00 8a 15 01 30 43 00 8a 0d 02 30 43 00 f6 d0 80 f2 c1 80 f1 ec a2 40 30 43 00 88 15 41 30 43 00 8a 15 03 30 43 00 88 0d 42 30 43 00 8a 0d 04 30 43 00 80 f2 f4 80 f1 c4 88 15 43 30 43 00 8a 15 05 30 43 00 88 0d 44 30 43 00 8a 0d 06 30 43 00 80 f2 40 80 f1 24 88 15 45 30 43 00 88 0d 46 30 43 00 a0 00 30 43 00 8a 15 01 30 43 00 8a 0d 02 30 43 00 f6 d0 80 f2 c1 80 f1 ec a2 40 30 43 00 88 15 41 30 43 00 8a 15 03 30 43 00 88 0d 42 30 43 00 8a 0d 04 30 43 00 80 f2 f4 80 f1 c4 88 15 43 30 43 00 8a 15 05 30 43 00 88 0d 44 30 43 00 8a 0d 06 30 43 00 80 f2 40 80 f1 24 88 15 45 30 43 00 88 0d 46 30 43 00 ff 25 34 5f 43 00 0f 10 05 08 30 43 00 0f 10 0d 18 30 43 00 a0 28 30 43 00 8a 15 29 30 43 00 8a 0d 2a 30 43 00 0f 57 05 80 b2 42 00 0f 57 0d 90 b2 42 00 34 e9 80 f2 10 80 f1 b3 0f 11 }
     // Code sequence around an API call through "ff 15 00 b2 42 00" (argument
     // pushes "6a 03 ... 68 00 00 00 80" precede it) followed by SSE register
     // zeroing and stack stores. Same fixed-address caveat as $s2.
     $s3 = { 50 6a 03 50 6a 01 68 00 00 00 80 53 ff 15 00 b2 42 00 31 c0 66 c7 84 24 ae 00 00 00 3a 00 50 6a 03 50 6a 01 68 00 00 00 80 53 ff 15 00 b2 42 00 ff 25 e8 a9 43 00 89 c7 31 c0 83 ff ff 0f 94 c0 ff 24 85 ec a9 43 00 c7 44 24 1c 00 00 00 00 ff 25 28 aa 43 00 0f 57 c0 31 c0 89 84 24 a4 00 00 00 89 84 24 a0 00 00 00 0f 29 84 24 90 00 00 00 0f 29 84 24 80 00 00 00 0f 29 44 24 70 0f 29 44 24 60 0f 29 44 24 50 0f 29 44 24 40 0f 29 44 24 30 ff 25 30 aa 43 00 0f 57 c0 31 c0 89 84 24 a4 00 00 00 89 84 24 a0 00 00 00 0f 29 84 24 90 00 00 00 0f 29 84 24 80 00 00 00 0f 29 44 24 70 0f }
     // Short code sequence; the shortest of the four and therefore the most likely
     // to coincidentally match other binaries built with the same addresses.
     $s4 = { a1 d8 b1 42 00 89 3b f2 0f 10 00 f2 0f 11 01 a1 d8 b1 42 00 89 3b f2 0f 10 00 f2 0f 11 01 ff 25 68 1f 44 00 89 cb ff 25 70 1f 44 00 31 c9 85 c0 8b 06 8b 5e 0c 0f }
     // Code sequence with pushes of fixed pointers ("68 b0 74 43 00", "68 70 74 43 00")
     // and the constant "68 02 00 00 80" / "68 19 01 02 00" before an API call;
     // same fixed-address caveat as $s2.
     $s5 = { 31 c0 ff 75 0c ff 75 08 50 50 68 b0 74 43 00 53 ff 15 10 b0 42 00 31 c0 ff 75 0c ff 75 08 50 50 68 b0 74 43 00 53 ff 15 10 b0 42 00 89 c6 ff 25 70 b7 43 00 ff 37 ff 15 0c b0 42 00 8b 4d f0 31 e9 e8 a9 f6 00 00 89 f0 8d 65 f4 5e 5f 5b 5d c3 57 68 19 01 02 00 6a 00 68 70 74 43 00 68 02 00 00 80 ff 15 14 b0 42 00 57 68 19 01 02 00 6a 00 68 70 74 43 00 68 02 00 00 80 ff 15 14 b0 42 00 ff 25 48 b7 43 00 55 }
   condition:
    // MZ header at offset 0, more than 20 KB on disk, and any four of the five
    // $s strings. Because $s2-$s5 carry layout-specific bytes, at least three
    // code patterns must match, so this effectively pins the rule to builds
    // sharing the listed samples' layout rather than the family as a whole.
    uint16(0) == 0x5A4D and filesize > 20KB and 4 of ($s*)
}
